Open Ports on Windows XP

Inside your computer

I wage a constant battle to know everything that is going on in my computer.
Much of this stems from the constant barrage of security holes that Microsoft
calls "features" that are enabled by default in Windows XP. Yes, I'm paranoid.
:-) This page aims to be a quick-and-easy reference for what ports are open on
a reasonably standard installation of Windows XP, and what they are used for.

Open ports

To see a list of open ports on Windows XP you can install one of many firewall
applications, or you can go to a command prompt and enter:

netstat -ano

Here -a lists every socket (listening ports as well as current connections),
-n prints addresses and ports as numbers instead of names, and -o adds the PID
of the process that owns each socket. Only TCP rows in the LISTENING state and
UDP rows (which have no State column at all) are actually accepting traffic;
an ESTABLISHED row is an existing connection, not an open port. To find the
program that is using the port, look at the PID number, then use the Task
Manager (View > Select Columns > PID) to match the PID with a running process.
To get a more detailed list that also shows the EXE file and the DLL files
involved in opening each port (this is slower, needs XP SP2 or later, and must
be run from an administrator account) try this:

netstat -anobv

Port / Description

123

Network Time Protocol (UDP), used by the Windows Time service (W32Time, which
runs inside an svchost.exe instance).
In theory, this synchronizes with various time servers on the internet. In my
experience, it always synchronizes with time.windows.com no matter how I set
it. I would not have noticed if I weren't running Kerio Firewall. A bit
suspicious, eh?

135

RPC (Remote Procedure Call) endpoint mapper and DCOM (Distributed Component
Object Model), TCP. RPC and DCOM allow a remote computer to send commands to
another computer. The endpoint mapper on 135 is the directory service for
RPC: a client asks it which of the dynamic ports a given RPC service is
listening on, then connects there. It is used by a variety of Windows-specific
services. (See the entry "Anything >1023" below.) The RPC service (RpcSs) is
not stoppable (see the section on unstoppable services.)

137,138,139

File and printer sharing and network name resolution using NetBIOS over
TCP/IP: 137/UDP is the NetBIOS name service, 138/UDP the datagram service, and
139/TCP the session service that carries SMB. Windows 2000 and XP use 445 for
the file and printer sharing portion, but 445 is not accessible to Windows
NT/'9x systems, so 139 is kept open for compatibility with them.

445

File and printer sharing for Windows 2000 and above (SMB directly over TCP,
without the NetBIOS layer). The SMB server is a kernel driver, so netstat shows
this port as owned by the System process, PID 4.

500

This is IKE (Internet Key Exchange) which is part of the IPsec protocol.
This is handled by LSASS.EXE: Local Security Authority Service. LSASS is also
used for user login authentication, so disabling IPSec closes port 500, but
leaves LSASS running.

Anything >1023

Ports above 1023 are available to applications in general. Any service that
uses RPC will be given a port above 1023 (on XP the default dynamic range is
1025 through 5000), and the endpoint mapper on 135 tells clients which one. The
port number can vary based on what services are available and what order they
start in, so the same number does not necessarily mean the same thing from one
boot to the next; match the PID instead of the port. Examples include:

The Remote Desktop service (Terminal Services) that allows you to control your
PC remotely. Unlike the RPC ports it uses a fixed port, TCP 3389, which is only
open when Remote Desktop has been enabled.
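As an added example (this is not code from the original page), here is a
Python script that parses the output of netstat -ano and checks every open
socket against the table above, which serves both the netstat instructions
and the port table. The netstat text embedded in it is a constructed sample in
the layout XP prints, not a capture from a real machine. The expected-port
table is taken from this page; the only additions are the RPC dynamic range
(1025 through 5000 by default on XP) and Remote Desktop's fixed port 3389, and
ports are matched by number only because the page's table does not separate
TCP from UDP.

```python
"""Audit `netstat -ano` output against the XP port table above.

Added example, not part of the original page.  NETSTAT_OUTPUT is a
constructed sample in the layout XP's netstat prints, not a capture.
"""
import sys

# Constructed sample (not captured from a real host).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1052
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1052
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1812
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1037      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    688
  UDP    0.0.0.0:1026           *:*                                    1052
  UDP    192.168.1.10:123       *:*                                    1052
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
  UDP    192.168.1.10:6000      *:*                                    1812
"""

# Ports the page lists for a standard install, matched by number only
# (the page's table does not separate TCP from UDP).  3389 is this
# example's addition: Remote Desktop's fixed port.
EXPECTED = {
    123: "NTP (Windows Time)",
    135: "RPC endpoint mapper / DCOM",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session / file and printer sharing",
    445: "SMB over TCP / file and printer sharing",
    500: "IKE (IPsec, lsass.exe)",
    3389: "Remote Desktop",
}
RPC_DYNAMIC = range(1025, 5001)   # XP's default dynamic RPC port range
LOOPBACK = ("127.0.0.1", "[::1]")


def parse_netstat(text):
    """Turn netstat -ano lines into dicts, skipping the header and blanks."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, _foreign, state, pid = parts
        else:                          # UDP rows have no State column
            proto, local, _foreign, pid = parts
            state = None
        addr, port = local.rsplit(":", 1)   # rsplit also handles [::]:135
        entries.append({"proto": proto, "addr": addr, "port": int(port),
                        "state": state, "pid": int(pid)})
    return entries


def open_sockets(entries):
    """Sockets that accept traffic: listening TCP plus every UDP socket."""
    return [e for e in entries if e["proto"] == "UDP" or e["state"] == "LISTENING"]


def classify(entry):
    """Say whether a socket is one the page expects on a standard XP box."""
    port = entry["port"]
    if port in EXPECTED:
        verdict = "expected: " + EXPECTED[port]
    elif port in RPC_DYNAMIC:
        verdict = "dynamic/RPC range: confirm the owner with tasklist /svc"
    else:
        verdict = "UNEXPECTED: not in the table"
    if entry["addr"] in LOOPBACK:
        verdict += " (loopback only, unreachable from the network)"
    return verdict


def audit(text):
    """(proto, port, addr, pid, verdict) for every open socket in the output."""
    return [(e["proto"], e["port"], e["addr"], e["pid"], classify(e))
            for e in open_sockets(parse_netstat(text))]


def unexpected_ports(text):
    """Sorted (proto, port) pairs that match nothing on the page's table."""
    return sorted({(proto, port) for proto, port, _a, _p, v in audit(text)
                   if v.startswith("UNEXPECTED")})


if __name__ == "__main__":
    # Usage: netstat -ano > ports.txt, then: python audit_ports.py ports.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else NETSTAT_OUTPUT
    for proto, port, addr, pid, verdict in audit(text):
        print("%-3s %5d  %-15s PID %-5d %s" % (proto, port, addr, pid, verdict))
```

Run netstat -ano > ports.txt on the XP box and pass the file as the first
argument (the script name audit_ports.py is just an assumption). Anything
reported as UNEXPECTED, and anything in the dynamic range, is what you then
chase down by PID; a socket bound to 127.0.0.1 is flagged separately because
nothing on the network can reach it.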

What is SVCHOST?

You will notice that most ports are held by one of the many instances of
svchost.exe. Most Windows services are not full executables, merely DLLs. These
DLLs must be loaded by a host executable like SVCHOST, and several services are
grouped into each instance. This saves system resources at the expense of
security: a bug in one service DLL compromises every service sharing that
process, and a port can only be traced to the process, not directly to the
service that opened it. To determine which services are running under a
specific instance of SVCHOST, open a command prompt and enter:

tasklist /svc

Svchost usually runs as one of three special accounts: SYSTEM, LOCAL SERVICE,
or NETWORK SERVICE (tasklist /v shows the account in its User Name column).
Unfortunately, even the system administrator does not have sufficient rights
to kill SVCHOST from Task Manager when it runs as one of these three accounts,
and killing it would take down every service hosted in that process anyway.
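Added example, not from the original page: a Python script that parses
tasklist /svc (including the indented continuation lines it wraps long service
lists onto) and joins it to the PID column of netstat -ano, so each port is
attributed to the image and the set of services it hosts. Both inputs are
constructed samples; the service short names are real XP ones, but the PIDs,
the grouping and the listener list are made up for the example.

```python
"""Attribute open ports to the services inside each svchost.exe.

Added example, not part of the original page.  Both inputs are constructed:
TASKLIST_OUTPUT imitates `tasklist /svc` on XP (real service short names,
made-up PIDs and grouping) and LISTENERS is the (proto, port, PID) you would
read off `netstat -ano`.
"""
import re

# Constructed sample of `tasklist /svc`.  Note the wrapped Services column:
# a long list continues on indented lines that carry no image name or PID.
TASKLIST_OUTPUT = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     540 N/A
csrss.exe                    604 N/A
winlogon.exe                 628 N/A
services.exe                 672 Eventlog, PlugPlay
lsass.exe                    688 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  936 RpcSs
svchost.exe                 1052 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem, helpsvc, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, TapiSrv,
                                 TermService, Themes, TrkWks, W32Time,
                                 winmgmt, wuauserv, WZCSVC
svchost.exe                 1812 Dnscache
"""

# Constructed: the PID column of netstat -ano for a few open sockets.
LISTENERS = [
    ("TCP", 135, 936), ("TCP", 445, 4), ("TCP", 1025, 1052),
    ("TCP", 3389, 1052), ("UDP", 123, 1052), ("UDP", 500, 688),
    ("TCP", 1031, 1812),
]

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")   # image name, PID, services


def _split_services(field):
    """Comma-separated service names; N/A means the process hosts none."""
    field = field.strip()
    if field in ("", "N/A"):
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """PID -> {"image": ..., "services": [...]}, folding in wrapped lines."""
    procs = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():            # continuation of the previous row
            procs[current]["services"].extend(_split_services(line))
            continue
        m = ROW.match(line)
        image, pid, services = m.group(1), int(m.group(2)), m.group(3)
        procs[pid] = {"image": image, "services": _split_services(services)}
        current = pid
    return procs


def attribute(listeners, procs):
    """(proto, port, pid, image, services) for each listener."""
    rows = []
    for proto, port, pid in listeners:
        p = procs.get(pid, {"image": "?", "services": []})
        rows.append((proto, port, pid, p["image"], tuple(p["services"])))
    return rows


def ambiguous_pids(procs):
    """svchost PIDs hosting several services: tasklist alone cannot say which
    one opened a port there; netstat -anobv shows the DLL chain instead."""
    return sorted(pid for pid, p in procs.items()
                  if p["image"].lower() == "svchost.exe" and len(p["services"]) > 1)


if __name__ == "__main__":
    procs = parse_tasklist_svc(TASKLIST_OUTPUT)
    for proto, port, pid, image, services in attribute(LISTENERS, procs):
        print("%-3s %5d  PID %-5d %-12s %s" % (proto, port, pid, image,
                                                ", ".join(services) or "(none)"))
    print("shared svchost instances:", ambiguous_pids(procs))
```

The join is exact for a single-service host like the RpcSs instance, and for
PID 4 it tells you the port is held by the kernel rather than by any service.
For the big netsvcs-style instance it can only narrow the owner to the dozens
of services in that process, which is the ambiguity ambiguous_pids reports and
the reason netstat -anobv exists.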

Some services such as RPC are unstoppable. They do not accept the stop control,
and the service control manager will refuse to even let you try (the Stop
button in services.msc is greyed out for them). Some of these services cannot
even be disabled. I cannot imagine why any service should get such privileges.
For example, why is the Audio Server unstoppable? Oh no! No audio!